End-of-Life (EoL)

Enable Basic WildFire Forwarding

WildFire is a cloud-based virtual environment that analyzes and executes unknown samples (files and email links) and determines the samples to be malicious, grayware, or benign. With WildFire enabled, a Palo Alto Networks firewall can forward unknown samples to WildFire for analysis. For newly-discovered malware, WildFire generates a signature to detect the malware and distributes it to all firewalls with active WildFire licenses. This enables global firewalls to detect and prevent malware found by a single firewall.
A basic WildFire service is included as part of the Palo Alto Networks next-generation firewall and does not require a WildFire subscription. With the basic WildFire service, you can enable the firewall to forward portable executable (PE) files. Additionally, if you do not have a WildFire subscription, but you do have a Threat Prevention subscription, you can receive signatures for malware WildFire identifies every 24-48 hours (as part of the antivirus updates).
Beyond the basic WildFire service, a WildFire subscription is required for the firewall to:
  • Get the latest WildFire signatures every five minutes.
  • Forward advanced file types and email links for analysis.
  • Use the WildFire API.
  • Use a WF-500 appliance to host a WildFire private cloud or a WildFire hybrid cloud.
If you have a WildFire subscription, go ahead and get started with WildFire to get the most out of your subscription. Otherwise, take the following steps to enable basic WildFire forwarding:
  1. Confirm that your firewall is registered and that you have a valid support account as well as any subscriptions you require.
    1. Go to the Palo Alto Networks Customer Support web site, log in, and select My Devices.
    2. Verify that the firewall is listed. If it is not listed, see Register the Firewall.
    3. (Optional) If you have a Threat Prevention subscription, be sure to Activate Licenses and Subscriptions.
  2. Configure WildFire forwarding settings.
    1. Select Device > Setup > WildFire and edit the General Settings.
    2. Set the WildFire Public Cloud field to: wildfire.paloaltonetworks.com.
    3. Review the File Size Limits for PEs the firewall forwards for WildFire analysis. As a WildFire best practice, set the Size Limit for PEs to the maximum available limit of 10 MB.
    4. Click OK to save your changes.
  3. Enable the firewall to forward PEs for analysis.
    1. Select Objects > Security Profiles > WildFire Analysis and Add a new profile rule.
    2. Name the new profile rule.
    3. Click Add to create a forwarding rule and enter a name.
    4. In the File Types column, add pe files to the forwarding rule.
    5. In the Analysis column, select public-cloud to forward PEs to the WildFire public cloud.
    6. Click OK.
  4. Apply the new WildFire Analysis profile to traffic that the firewall allows.
    1. Select Policies > Security and either select an existing policy or create a new policy as described in Set Up a Basic Security Policy.
    2. Select Actions and in the Profile Settings section, set the Profile Type to Profiles.
    3. Select the WildFire Analysis profile you just created to apply that profile rule to all traffic this policy allows.
    4. Click OK.
  5. Enable the firewall to forward decrypted SSL traffic for WildFire analysis.
  6. Review and implement WildFire best practices to ensure that you are getting the most out of WildFire detection and prevention capabilities.
  7. Click Commit to save your configuration updates.
  8. Verify that the firewall is forwarding PE files to the WildFire public cloud.
    Select Monitor > Logs > WildFire Submissions to view log entries for PEs the firewall successfully submitted for WildFire analysis. The Verdict column displays whether WildFire found the PE to be malicious, grayware, or benign.
  9. (Threat Prevention subscription only) If you have a Threat Prevention subscription, but do not have a WildFire subscription, you can still receive WildFire signature updates every 24-48 hours.
    1. Select Device > Dynamic Updates.
    2. Check that the firewall is set to retrieve, download, and install Antivirus updates.
